Should I report spam with modified subject?


jpp

My mail server adds "[spam]" in the subject of spam messages (using spamcop and other lists).

I can't correct them (too many messages: I use Okopipi on thunderbird to send them).

The server adds headers too, but I think I can leave them.

Should I send modified messages? I'm currently sending only unrecognized spam messages.

Thanks


When I used spamassassin, spamcop accepted the reports and there was no problem about the added tag in the subject line, but that was a while back. If you want to be sure, then you will have to email the deputies. Please come back here and report what they say.

The only way that you can tell if the headers would upset the parser is to submit one and see (you don't have to send it if the parser gets confused).

If the extra headers do cause a problem, then just submitting those spam that get through filters is a worthwhile activity because it may put them on the scbl and be identified in the future. Some people who do not have a lot of time on their hands to submit spam, only report those that make it past filters.

Miss Betsy


This looks like a topic for lawyers, but IANAL.

My understanding is that you should not materially change the headers of the spam as it arrives with you. On that basis I think you should be OK submitting the reports you refer to. The addition of the [spam] flag in the subject isn't a significant change and the extra header lines are added by one of the servers en route to you so they should be left in place.

You should make sure your mailhosts are configured correctly to avoid reporting your own server(s).

Andrew


The proposition that programmatic additions to subjects and X-line insertions etc. made by AV applications etc. were not material alterations to the spam was floated in a topic Don was following some time ago without direct comment from him, FWIW (ISP filtering mail and marking spam messages, Do I report these messages?). What he did say was:

It sounds like you should be OK reporting those. As long as SpamAssassin is just adding informational headers and not changing the original spam headers to "localhost" info, SpamCop can find the true source of the spam.

The fact that your server is altering the body text is irrelevant. The only modifications SpamCop policy forbids are material alterations by the user after he gets the spam.

If you have any questions, send me email with the tracking URL from the top of the page when you process one of the spams and I'll be happy to take a look.

- Don D'Minion - SpamCop Admin - service[at]admin.spamcop.net

I believe that answers the question - report freely jpp - email Don (as Miss Betsy suggested) if you are in any doubt.

I've lately been seeing lots of Viagra spam with body text like this:

==========message start=========

Hi,

Vriagra 1,80

Crialis 3,00

Levritra 3,35

http://enounc.progenyid-com

Important: Replace "-" with "." in the above link

--

The fire, he now saw, had been lit in the grate. This surprised him.

Then he stopped moving and listened intently, for a mans voice spoke

within the room; it sounded timid and fearful.

==========message end=============

Spamcop does its usual best with the headers and sends reports to the open proxy which sent the mail. However, the link is not found unless I do as bid and replace the - with .

(sometimes it's a comma, or an ampersand, but always the dot before "com" is substituted.)

Domain names vary too, but seem to be subject to the rotating DNS trick detailed in other threads here. Something else these spams share is that the closing paragraph is always an extract from a Harry Potter story.

Question - Is it acceptable for me to insert the dot in the message body, so that Spamcop can try to find the spamvertised site?

C2H5OH


No, you must leave the spam message as original as you can.

Once SpamCop has parsed the message, you can, by either doing a tracert and/or a second SpamCop reporting page, get an IP and abuse address; just put it in the "notes" box:

SPAMVERTIZED URL

http://enounc.progenyid.com

IP 58.61.152.101 ct-abuse[at]abuse.sprint.net abuse[at]gddc.com.cn anti-spam[at]ns.chinanet.cn.net

I managed to get this creep kicked out of Russian Web space. It is now in Chinese Web space and I have so far reported it a few dozen times. Then the Chinese wonder why no one wants email from them?
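The approach in the post above (leave the spam body untouched and put the corrected URL in the notes box), as an added example that is not part of the original thread. The function names and the sample messages are constructed for illustration; the separator is taken from the spam's own "Replace ... with" instruction, as described earlier in the thread.

```python
import re

# The spam's own instruction line, e.g.: Replace "-" with "." in the above link
INSTRUCTION = re.compile(r'Replace\s+"(?P<sep>[^"\s])"\s+with\s+"\."', re.I)
URL = re.compile(r'(?P<scheme>https?)://(?P<rest>[^\s<>"]+)')


def demunged_urls(body):
    """Return corrected URLs for the notes box. The body itself is never edited."""
    instruction = INSTRUCTION.search(body)
    if instruction is None:
        return []  # no munge instruction: do not guess
    suffix = instruction["sep"] + "com"
    urls = []
    for match in URL.finditer(body):
        rest = match["rest"]
        # Only the dot before "com" is substituted, and only in a bare host name.
        if rest.endswith(suffix) and "/" not in rest:
            host = rest[: -len(suffix)] + ".com"
            urls.append(f'{match["scheme"]}://{host}')
    return urls


def notes_field(body):
    """Text to paste into the report's notes box, or '' if nothing was munged."""
    urls = demunged_urls(body)
    return "SPAMVERTIZED URL\n" + "\n".join(urls) if urls else ""


# Constructed sample bodies (reserved example domain, not real spam).
SAMPLE_DASH = (
    "Hi,\n\nhttp://shop.example-com\n\n"
    'Important: Replace "-" with "." in the above link\n'
)
SAMPLE_AMP = 'http://shop.example&com\nReplace "&" with "." in the above link\n'
SAMPLE_CLEAN = "See http://my-site.example.org/a-com for details\n"

if __name__ == "__main__":
    print(notes_field(SAMPLE_DASH))
```

The message submitted for parsing stays byte-for-byte as received; only the notes text is derived from it.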


Thanks for that petzl. BTW, I've just noticed that the spam munging is changing from simply replacing that last dot, to inserting an exclamation mark in the domain name "remove to make link work".

Any change to make the parser find something it normally would not is not allowed.


But you can put the corrected email address in a blank spamcop submission form and hit "Process spam" to get the reporting address, then go to Preferences (top of browser window), Report Handling Options, then add the reporting address to the form at "Public standard report recipients." Reload the spam, and even though the spamcop parser won't recognize the email address with the exclamation point in it, it will still send a report to that address's ISP. Some of the ones I have run have traced to keyword.de, which refuses spamcop reports, but some have gone to ISPs that seem to have pretty stringent acceptable use policies. I have to assume that if they are making potential customers go to extra trouble to link to their site, there is a good reason they don't want spamcop sending reports. You do have to re-trace the URL every time as they keep moving around.


Archived

This topic is now archived and is closed to further replies.
